This KB gives an example of how to set up a DLP agent group based on membership of a specific AD group.
Release : 15.x, 16.0
Step 1: Create the Agent Attribute
Follow these steps to create the Agent attribute:
Sample Screenshot:
Click Save
On the next screen click "Apply Changes"
Step 2: Create the Agent group based on the newly created Agent Attribute
The group is applied to DLP agents on which the logged-in user is a member of the specified AD group. This happens gradually rather than immediately, because each agent's attributes are resolved as the agent checks in with its Endpoint Server.
Explanation:
In Step 1 we created a DLP agent attribute whose search filter returns the entire memberOf attribute of the AD user object. memberOf lists the groups the user is a direct member of. The resolved value is the full LDAP response, one distinguished name (DN) per group, for example:
CN=<group1 name>,OU=<OU Name>,OU=Groups,DC=<Domain>,DC=net
CN=<group2 name>,OU=<OU Name>,OU=Groups,DC=<Domain>,DC=net
The actual resolved value for a given user can be viewed with the query resolver tool. Note that memberOf contains direct memberships only: it does not include the user's primary group (normally Domain Users) or groups the user belongs to only through nesting, so the user must be a direct member of the group you test for.
In Step 2 the agent group condition evaluates that entire string and uses wildcards to look for the name of the group we want to check for, such as the "new hire" group. The asterisks in front of and after the value make it a substring match anywhere in the string. If the value is found in the LDAP response for the user logged into the DLP agent machine, the agent is added to the group. Because this is a substring match, a pattern such as *new hire* also matches any other group whose DN contains that text (for example a group named "new hire contractors"). To match only the intended group, include the surrounding DN syntax in the pattern, for example *CN=new hire,* so that the comma closing the CN component is part of the match.
This could be modified to use any value in the AD user object (company, department, state, etc.) by changing the memberOf attribute in Step 1 to the preferred AD user attribute.
This is an example / template of how the agent attributes can be used. DLP admins will need to work closely with AD / LDAP administrators to customize the solution to work best for their environment.
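As an added illustration (not part of the original KB article and not DLP product code), the following Python script models what the agent group condition sees: the multi-valued memberOf attribute flattened into one string, and a wildcard pattern evaluated against it. The sample DNs are constructed for the example. Two details are assumptions, since the article does not specify them: that the resolved entries are joined with a single space (as in the article's sample value), and that wildcard matching is case-insensitive.

```python
import re

# Constructed sample data (not from the article): the memberOf values AD
# would return for one user. The second DN shows why a bare substring
# pattern such as *new hire* over-matches.
SAMPLE_MEMBEROF = [
    "CN=new hire,OU=Onboarding,OU=Groups,DC=example,DC=net",
    "CN=new hire contractors,OU=Onboarding,OU=Groups,DC=example,DC=net",
    "CN=VPN Users,OU=Access,OU=Groups,DC=example,DC=net",
]


def join_memberof(values):
    """Flatten the multi-valued memberOf attribute into the single string the
    agent group condition evaluates. Assumption: entries are joined with a
    single space, as in the article's sample value."""
    return " ".join(values)


def wildcard_to_regex(pattern):
    """Translate a DLP-style wildcard pattern into a regex: '*' matches any
    run of characters, everything else is literal. Assumption: matching is
    case-insensitive."""
    literal_parts = pattern.split("*")
    regex = "^" + ".*".join(re.escape(part) for part in literal_parts) + "$"
    return re.compile(regex, re.IGNORECASE)


def attribute_matches(resolved_value, pattern):
    """True if the resolved attribute string satisfies the wildcard pattern,
    i.e. the agent would be placed in the group."""
    return wildcard_to_regex(pattern).match(resolved_value) is not None


def matching_groups(values, pattern):
    """Which individual group DNs satisfy the pattern. Shows *why* a user
    matched, since the condition itself only sees the joined string."""
    return [dn for dn in values if attribute_matches(dn, pattern)]


def group_condition(group_name):
    """Build a pattern anchored on the CN component (including the closing
    comma) so that only the group with exactly this name matches, not other
    groups whose names merely contain it."""
    return "*CN=" + group_name + ",*"


if __name__ == "__main__":
    resolved = join_memberof(SAMPLE_MEMBEROF)
    for pattern in ("*new hire*", group_condition("new hire"), group_condition("Finance")):
        print(f"{pattern!r:24} -> agent in group: {attribute_matches(resolved, pattern)}")
        for dn in matching_groups(SAMPLE_MEMBEROF, pattern):
            print("    matched by", dn)
```

Replace SAMPLE_MEMBEROF with the value the query resolver tool returns for a real user to check a candidate pattern before applying it: *new hire* is satisfied by two groups in the sample, while *CN=new hire,* is satisfied only by the intended one.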
Important Notes: